Advanced Connection Options

From FarmShare

(Difference between revisions)
m (Two-step Authentication)
Line 11: Line 11:
On macOS and Linux systems you can enable GSSAPI by adding the following lines to <code>~/.ssh/config</code> on your local system.
On macOS and Linux systems you can enable GSSAPI by adding the following lines to <code>~/.ssh/config</code> on your local system.
-
GSSAPIKeyExchange yes
+
<source>
-
GSSAPIAuthentication yes
+
GSSAPIKeyExchange yes
 +
GSSAPIAuthentication yes
 +
</source>
In some cases GSSAPI authentication may be enabled by default, but <code>ssh</code> will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access [[AFS]] on <code>rice</code>. You can enable forwarding by adding <code>GSSAPIDelegateCredentials yes</code> to <code>~/.ssh/config</code>, but you should do so ''only'' for trusted systems; to restrict the option, add it to a <code>Host</code> block:
In some cases GSSAPI authentication may be enabled by default, but <code>ssh</code> will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access [[AFS]] on <code>rice</code>. You can enable forwarding by adding <code>GSSAPIDelegateCredentials yes</code> to <code>~/.ssh/config</code>, but you should do so ''only'' for trusted systems; to restrict the option, add it to a <code>Host</code> block:
-
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
+
<source>
-
  GSSAPIDelegateCredentials yes
+
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
 +
  GSSAPIDelegateCredentials yes
 +
</source>
See the <code>man</code> page for <code>ssh_config</code> for more information on GSSAPI options.
See the <code>man</code> page for <code>ssh_config</code> for more information on GSSAPI options.
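Review bot: the two <source> tags added in this hunk carry no lang= attribute, and the rendered revision further down shows the effect: each block is replaced by the message "You need to specify a language like this: <source lang="html">...</source>" followed by the language list, so the GSSAPIKeyExchange / GSSAPIAuthentication lines and the Host ... / GSSAPIDelegateCredentials block no longer appear on the page at all. Open both blocks as <source lang="txt"> (txt is in the wiki's supported-language list) so the configuration actually renders; the old bare-indented form at least showed the lines.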
Line 33: Line 37:
You can avoid some of the inconvenience of two-step authentication using <code>ssh</code> multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the <code>ControlPersist</code> option. Add the following lines to <code>~/.ssh/config</code> file on your local system to enable multiplexing.
You can avoid some of the inconvenience of two-step authentication using <code>ssh</code> multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the <code>ControlPersist</code> option. Add the following lines to <code>~/.ssh/config</code> file on your local system to enable multiplexing.
-
ControlMaster auto
+
<source>
-
ControlPath ~/.ssh/%r@%h:%p
+
ControlMaster auto
-
ControlPersist yes
+
ControlPath ~/.ssh/%r@%h:%p
 +
ControlPersist yes
 +
</source>
PuTTY and SecureCRT support multiplexing, but do not support <code>ControlPersist</code>, so the feature is of less utility for this purpose on Windows systems.
PuTTY and SecureCRT support multiplexing, but do not support <code>ControlPersist</code>, so the feature is of less utility for this purpose on Windows systems.
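Review bot: same missing lang= on the <source> tag here, so ControlMaster auto / ControlPath ~/.ssh/%r@%h:%p / ControlPersist yes render as the "You need to specify a language" error in the revision below; use <source lang="txt">. The prose could also carry one caveat the hunk makes necessary: ControlPath ~/.ssh/%r@%h:%p puts the control socket in ~/.ssh, and any local process that can connect to that socket gets a session on the remote host without re-authenticating (skipping the two-step prompt is the whole point of the master), so ~/.ssh must not be accessible to other users, and ControlPersist yes keeps that exposure open indefinitely; a bounded value such as ControlPersist 4h limits it.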
Line 47: Line 53:
Add the following line to <code>~/.ssh/config</code> on your local system.
Add the following line to <code>~/.ssh/config</code> on your local system.
-
ServerAliveInterval 60
+
<source>ServerAliveInterval 60</source>
=== PuTTY ===
=== PuTTY ===
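Review bot: <source>ServerAliveInterval 60</source> likewise lacks lang=, and the revision below shows the error text where the line should be; write <source lang="txt">ServerAliveInterval 60</source>.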
Line 61: Line 67:
The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems.
The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems.
-
# ~/.ssh/config
+
# ~/.ssh/config
-
+
 
-
# FarmShare 2
+
# FarmShare 2
-
+
 
-
Host rice rice?? cardinal cardinal?
+
Host rice rice?? cardinal cardinal?
-
  HostName %h.stanford.edu
+
  HostName %h.stanford.edu
-
+
 
-
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
+
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
-
  ControlMaster auto
+
  ControlMaster auto
-
  ControlPersist yes
+
  ControlPersist yes
-
  GSSAPIDelegateCredentials yes
+
  GSSAPIDelegateCredentials yes
-
+
 
-
# Legacy FarmShare
+
# Legacy FarmShare
-
+
 
-
Host corn corn?? rye rye??
+
Host corn corn?? rye rye??
-
  HostName %h.stanford.edu
+
  HostName %h.stanford.edu
-
+
 
-
Host corn corn.stanford.edu corn?? corn??.stanford.edu rye rye.stanford.edu rye?? rye??.stanford.edu
+
Host corn corn.stanford.edu corn?? corn??.stanford.edu rye rye.stanford.edu rye?? rye??.stanford.edu
-
  ControlMaster auto
+
  ControlMaster auto
-
  ControlPersist yes
+
  ControlPersist yes
-
  GSSAPIDelegateCredentials yes
+
  GSSAPIDelegateCredentials yes
-
+
 
-
# General Configuration
+
# General Configuration
-
+
 
-
Host *
+
Host *
-
  ControlPath ~/.ssh/%r@%h:%p
+
  ControlPath ~/.ssh/%r@%h:%p
-
  GSSAPIKeyExchange yes
+
  GSSAPIKeyExchange yes
-
  GSSAPIAuthentication yes
+
  GSSAPIAuthentication yes
-
  ServerAliveInterval 60
+
  ServerAliveInterval 60
 +
</source>
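Review bot: the closing </source> added at the end of this hunk has no matching opening tag among the changed lines, and the rendered revision below confirms the block is not treated as source: the comment lines come out as numbered list items ("1. ~/.ssh/config", "1. FarmShare 2", "1. Legacy FarmShare", "1. General Configuration") because wikitext reads a leading # as a list marker, the blank lines split the Host blocks apart, and the </source> is printed literally at the bottom. Add <source lang="txt"> immediately before "# ~/.ssh/config" (lang= is required, as the other hunks show) so the whole suggested configuration renders as one block.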

Revision as of 13:23, 14 September 2017


Public Key Authentication

Public key authentication is not supported on FarmShare systems.

GSSAPI Authentication

FarmShare systems do support password-less authentication using GSSAPI if you have a valid Kerberos ticket for the stanford.edu realm.

OpenSSH

On macOS and Linux systems you can enable GSSAPI by adding the following lines to ~/.ssh/config on your local system.

 GSSAPIKeyExchange yes
 GSSAPIAuthentication yes

In some cases GSSAPI authentication may be enabled by default, but ssh will not forward your Kerberos ticket to the remote system. This can be inconvenient, especially in the legacy FarmShare environment, or when you expect to access AFS on rice. You can enable forwarding by adding GSSAPIDelegateCredentials yes to ~/.ssh/config, but you should do so only for trusted systems: a delegated ticket lets the remote host act as you toward other Kerberos services (AFS included) until the ticket expires, so a compromised host inherits that access. To restrict the option, add it to a Host block rather than to Host *:

 Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
   GSSAPIDelegateCredentials yes

See the man page for ssh_config for more information on GSSAPI options.

PuTTY

PuTTY supports GSSAPI authentication by default; to enable forwarding, select Connection → SSH → Auth → GSSAPI → Allow GSSAPI credential delegation.

SecureCRT

SecureCRT supports GSSAPI authentication, but it is disabled by default. To enable GSSAPI, open the Session Options dialog and select Connection → SSH2 → Authentication → GSSAPI and Connection → SSH2 → Key exchange → Kerberos (Group Exchange). SecureCRT attempts authentication and key exchange methods in the order listed, so these methods should be moved to the top of their respective lists. Delegation is enabled by default when GSSAPI authentication is selected.

Two-step Authentication

You can avoid some of the inconvenience of two-step authentication using ssh multiplexing. This feature creates a master session on initial connection to a particular host; subsequent sessions reuse the existing connection as a tunnel, so no further authentication is required. The master session can be configured to remain open even after you have closed the initial connection using the ControlPersist option. Because later sessions inherit the master's authentication, anyone who can connect to the control socket gets a session as you; the ControlPath below keeps the socket under ~/.ssh, so that directory must not be readable by other users. Add the following lines to the ~/.ssh/config file on your local system to enable multiplexing.

 ControlMaster auto
 ControlPath ~/.ssh/%r@%h:%p
 ControlPersist yes

PuTTY and SecureCRT support multiplexing, but do not support ControlPersist, so the feature is of less utility for this purpose on Windows systems.

Keep-alive

A connection that is left open but idle might be closed after some time. Many SSH clients have a keep-alive feature that can be used to prevent idle disconnections.

OpenSSH

Add the following line to ~/.ssh/config on your local system.

 ServerAliveInterval 60

PuTTY

Select Connection → Sending of null packets to keep session active → Seconds between keepalives (0 to turn off) and enter 60, and Connection → Low-level TCP connection options → Enable TCP keepalives (SO_KEEPALIVE option).

SecureCRT

In the Session Options dialog, select Terminal → Anti-idle → Send protocol NO-OP every 60 seconds.

Suggested OpenSSH Configuration

The options described above are here collected into a configuration that should be safe and convenient for most users connecting from macOS and Linux systems.

 # ~/.ssh/config

 # FarmShare 2

 Host rice rice?? cardinal cardinal?
   HostName %h.stanford.edu

 Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
   ControlMaster auto
   ControlPersist yes
   GSSAPIDelegateCredentials yes

 # Legacy FarmShare

 Host corn corn?? rye rye??
   HostName %h.stanford.edu

 Host corn corn.stanford.edu corn?? corn??.stanford.edu rye rye.stanford.edu rye?? rye??.stanford.edu
   ControlMaster auto
   ControlPersist yes
   GSSAPIDelegateCredentials yes

 # General Configuration

 Host *
   ControlPath ~/.ssh/%r@%h:%p
   GSSAPIKeyExchange yes
   GSSAPIAuthentication yes
   ServerAliveInterval 60
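To see what this configuration actually does for a given host name, and why the GSSAPIDelegateCredentials block above lists both the short aliases and the full stanford.edu names while the Host * block does not, here is an added example. It is not FarmShare's or OpenSSH's own code; it reimplements the ssh_config rules the Host blocks depend on: patterns are matched against the name typed on the command line, ? and * are wildcards, the first value obtained for an option wins, and %h in ControlPath is the resolved HostName. The suggested configuration is embedded inline alongside a constructed configuration that puts GSSAPIDelegateCredentials under Host *. The user name alice, port 22, and host names such as rice03, rice3 and evil.example.com are assumptions for illustration only.

```python
"""Resolve which ssh_config options apply to a host name (added example for
this page, not FarmShare's or OpenSSH's code).  Implements the rules the
suggested configuration relies on: Host patterns match the name typed on
the command line ('*'/'?' wildcards, '!' negates); the FIRST value obtained
for an option wins, so per-host blocks must precede 'Host *'; %h in
HostName is the typed name, %h in ControlPath the resolved HostName, %r the
user, %p the port.  Match blocks are not handled.  User 'alice' and hosts
such as rice03 / evil.example.com are constructed for illustration."""
import re

# The page's suggested ~/.ssh/config (comments dropped), embedded inline.
SUGGESTED_CONFIG = """\
Host rice rice?? cardinal cardinal?
  HostName %h.stanford.edu
Host rice rice.stanford.edu rice?? rice??.stanford.edu cardinal cardinal.stanford.edu cardinal? cardinal?.stanford.edu
  ControlMaster auto
  ControlPersist yes
  GSSAPIDelegateCredentials yes
Host corn corn?? rye rye??
  HostName %h.stanford.edu
Host corn corn.stanford.edu corn?? corn??.stanford.edu rye rye.stanford.edu rye?? rye??.stanford.edu
  ControlMaster auto
  ControlPersist yes
  GSSAPIDelegateCredentials yes
Host *
  ControlPath ~/.ssh/%r@%h:%p
  GSSAPIKeyExchange yes
  GSSAPIAuthentication yes
  ServerAliveInterval 60
"""

# Constructed counter-example: delegation placed under 'Host *' instead.
UNRESTRICTED_CONFIG = "Host *\n  GSSAPIAuthentication yes\n  GSSAPIDelegateCredentials yes\n"


def parse_config(text):
    """Return [(patterns, [(key, value), ...]), ...] in file order."""
    blocks = [(["*"], [])]          # options before any Host line are global
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return [b for b in blocks if b[1]]


def _pattern_re(pattern):
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(r"\A" + body + r"\Z", re.IGNORECASE)


def block_matches(patterns, host):
    """ssh semantics: a matching negated pattern vetoes the whole block."""
    if any(_pattern_re(p[1:]).match(host) for p in patterns if p.startswith("!")):
        return False
    return any(_pattern_re(p).match(host) for p in patterns if not p.startswith("!"))


def _expand(value, tokens):
    tokens = {"%": "%", **tokens}   # '%%' is a literal percent sign
    return re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), value)


def resolve(blocks, host, user="alice", port="22"):
    """Effective options for `ssh host`, keys lower-cased, tokens expanded."""
    effective = {}
    for patterns, options in blocks:
        if block_matches(patterns, host):
            for key, value in options:
                effective.setdefault(key, value)   # first obtained value wins
    effective["hostname"] = _expand(effective.get("hostname", host), {"h": host})
    if "controlpath" in effective:
        effective["controlpath"] = _expand(effective["controlpath"],
                                           {"h": effective["hostname"], "r": user, "p": port})
    return effective


def delegates_credentials(blocks, host):
    """Would ssh forward the Kerberos TGT to this host under this config?"""
    return resolve(blocks, host).get("gssapidelegatecredentials", "no").lower() == "yes"


if __name__ == "__main__":
    safe, loose = parse_config(SUGGESTED_CONFIG), parse_config(UNRESTRICTED_CONFIG)
    for host in ("rice03", "rice03.stanford.edu", "rice3", "evil.example.com"):
        opts = resolve(safe, host)
        print(f"{host:20} hostname={opts['hostname']:20} "
              f"delegate={delegates_credentials(safe, host)} socket={opts['controlpath']}")
    print("delegation under 'Host *' reaches evil.example.com:",
          delegates_credentials(loose, "evil.example.com"))
```

Running it shows that rice03 and rice03.stanford.edu resolve to the same HostName and therefore the same control socket, so the two spellings share one multiplexed master; that rice3 matches neither rice?? pattern (two characters are required) and so gets neither the HostName rewrite nor delegation; and that an unrelated host still gets GSSAPIAuthentication from Host * but no ticket forwarding, whereas the constructed Host * variant forwards the ticket to anything. On a system with OpenSSH 6.8 or later, ssh -G rice03 prints the effective options the same way.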
